Configure Remote SSL VPN in FortiGate with CLI

Steps to configure Remote SSL VPN in FortiGate with CLI

Create an ssl.root tunnel interface for the SSL VPN tunnel

config system interface
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "Remote SSL VPN interface"
    next
end

Create a firewall address object called SSLVPN_IP_POOL (IP range 10.212.134.200 – 10.212.134.210), bound to ssl.root, which will be used as the pool of addresses assigned to remote SSL VPN users

config firewall address
    edit "SSLVPN_IP_POOL"
        set type iprange
        set associated-interface "ssl.root"
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end

Create a local user called sslvpn with a password

config user local
    edit "sslvpn"
        set type password
        set passwd P@ssw0rd
    next
end

Create a user group called SSLVPN_GROUP and add sslvpn as a member (the firewall policies below reference this group by name)

config user group
    edit "SSLVPN_GROUP"
        set member "sslvpn"
    next
end

Enable tunnel mode in the full-access portal and assign SSLVPN_IP_POOL as its IP pool

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_IP_POOL"
    next
end

Configure the SSL VPN settings as follows

  • SSL certificate to be used – the default is the FortiGate self-signed certificate; here a certificate named "AventisLab.com" is selected
  • IP addresses to be assigned to remote SSL VPN clients – the SSLVPN_IP_POOL range created above
  • SSL VPN port – the default is 443; we changed it to 12443
  • Source interface – the external (WAN) interface
  • Default portal – changed to full-access
  • DNS servers – pointed to the internal AD/DNS servers for name resolution
config vpn ssl settings
    set servercert "AventisLab.com"
    set tunnel-ip-pools "SSLVPN_IP_POOL"
    set port 12443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    set dns-server1 192.168.1.200
    set dns-server2 192.168.1.201
    set dtls-tunnel enable
end

SSL VPN Settings in Web UI


Create the following firewall policies to allow traffic between the SSL VPN tunnel and the LAN in both directions. Both policies are restricted to members of SSLVPN_GROUP. The address object "192.168.1.0" referenced below is assumed to exist already; it is not created in this guide.

  • SSLVPN-LAN – allow traffic from the SSL VPN tunnel to the LAN for SSLVPN_GROUP only
  • LAN-SSLVPN – allow traffic from the LAN to the SSL VPN tunnel for SSLVPN_GROUP only
config firewall policy
    edit 100
        set name "SSLVPN-LAN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "SSLVPN_GROUP"
    next
    edit 101
        set name "LAN-SSLVPN"
        set srcintf "internal"
        set dstintf "ssl.root"
        set srcaddr "192.168.1.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "SSLVPN_GROUP"
    next
end

Configure FortiClient with the FQDN or IP address of the WAN interface, the custom port 12443, and the username sslvpn


Logged in to the SSL VPN successfully


Some useful commands for troubleshooting the remote SSL VPN

Show the active SSL VPN users and sessions with execute vpn sslvpn list

FG60E # execute vpn sslvpn list
SSL VPN Login Users:
 Index   User    Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
 0       sslvpn          1(1)            296     14.1.227.206   0/0     0/0

SSL VPN sessions:
 Index   User    Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       sslvpn          14.1.227.206    670     24470/35484    10.28.28.10
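The list output above is what an operator would poll to keep an eye on who is connected. As an added example (not part of the original post or of FortiOS), the following Python parses that output into records and flags sessions whose user is not in an expected allow-list or whose tunnel IP lies outside the SSLVPN_IP_POOL range configured earlier. The sample text is constructed from the output shown above; the allow-list and pool bounds are assumptions.

```python
import ipaddress
import re

# Constructed sample, modelled on the 'execute vpn sslvpn list' output above.
SAMPLE_OUTPUT = """\
SSL VPN Login Users:
 Index   User    Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
 0       sslvpn          1(1)            296     14.1.227.206   0/0     0/0

SSL VPN sessions:
 Index   User    Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       sslvpn          14.1.227.206    670     24470/35484    10.28.28.10
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
LOGIN_RE = re.compile(r"^\s*(?P<index>\d+)\s+(?P<user>\S+)\s+(?P<auth>\S+)\s+(?P<timeout>\d+)\s+"
                      rf"(?P<src>{IPV4})\s+(?P<http>\d+/\d+)\s+(?P<https>\d+/\d+)\s*$")
SESSION_RE = re.compile(r"^\s*(?P<index>\d+)\s+(?P<user>\S+)\s+" rf"(?P<src>{IPV4})\s+(?P<duration>\d+)\s+"
                        rf"(?P<inbytes>\d+)/(?P<outbytes>\d+)\s+(?P<tunnel_ip>{IPV4})\s*$")

def parse_sslvpn_list(text):
    """Split the output into its two tables and parse each data row into a dict."""
    result = {"logins": [], "sessions": []}
    section = None
    for line in text.splitlines():
        if line.startswith("SSL VPN Login Users:"):
            section, pattern = "logins", LOGIN_RE
            continue
        if line.startswith("SSL VPN sessions:"):
            section, pattern = "sessions", SESSION_RE
            continue
        m = pattern.match(line) if section else None  # header rows do not match (Index is not numeric)
        if m:
            row = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
            result[section].append(row)
    return result

def flag_sessions(parsed, allowed_users, pool_start, pool_end):
    """Return (index, user, reasons) for sessions that violate the expected user list or pool range."""
    lo, hi = int(ipaddress.ip_address(pool_start)), int(ipaddress.ip_address(pool_end))
    flagged = []
    for s in parsed["sessions"]:
        reasons = []
        if s["user"] not in allowed_users:
            reasons.append("user not in allow-list")
        if not lo <= int(ipaddress.ip_address(s["tunnel_ip"])) <= hi:
            reasons.append("tunnel IP outside SSLVPN_IP_POOL")
        if reasons:
            flagged.append((s["index"], s["user"], reasons))
    return flagged
```

Run against the sample, the session is flagged because its tunnel IP 10.28.28.10 is outside the 10.212.134.200 – 10.212.134.210 pool configured in this guide; a mismatch like that in production would mean a portal or pool other than the one you intended is in use.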

To disconnect a single SSL VPN user – replace <index> with the index shown in the list output above

execute vpn sslvpn del-tunnel <index>

To disconnect all SSL VPN users

execute vpn sslvpn del-all
